Ransom Management

How Winter Came for HBO

HBO should be enjoying the return of some of its biggest properties this summer, not least the world’s biggest TV show, Game of Thrones. Instead the network has found itself dealing with various hacks and leaks. Daniel Davies breaks down what HBO has learned from its awful summer.

Summer 2017 was supposed to be party time at HBO: executives high-fiving in the hallway; creatives walking into work and throwing their thumbs up at colleagues in the style of the Fonz from Happy Days and ratings being delivered that prompt the same feelings of euphoria that, spoiler alert, the world felt when Jon Snow came back from the dead.

Because summer 2017 was meant to be the time that HBO’s biggest ever show returned for its penultimate season; after a six-year hiatus, HBO’s critically acclaimed Curb Your Enthusiasm readied itself to return, and fan-favourite series like Insecure and the Dwayne “The Rock” Johnson-led Ballers were once more being talked about around water-coolers everywhere. But hackers ruined all that, and it’s fair to say HBO isn’t happy.

HBO’s awful summer began when a group of hackers operating under the name “Mr Smith” claimed that they were in possession of 1.5TB of data – including unreleased shows and potentially sensitive internal documents – which would only be returned if the hackers were paid millions of dollars in bitcoin. HBO stood firm, though, and refused to bend the knee, but without a Daenerys or her dragons to, predictably and boringly, save the day, the hackers released episodes of HBO shows Curb Your Enthusiasm, Ballers and Insecure, as well as scripts from Game of Thrones.

But much like Sony and Cersei before it, HBO wasn’t only dealing with one enemy. It had to deal with hacks and leaks from the North, South, East and West. So while it was being threatened by Mr Smith, the broadcaster was also forced to contend with its own partners and third-party affiliates leaking shows early, and another hacking group, OurMine, gaining access to the Twitter feeds of various HBO shows.

So summer has been pretty terrible for HBO, so much so that you’d forgive the showrunners at some of the network’s biggest properties for thinking winter is here. But is the hackers’ war against HBO over now or is the only war that matters for HBO here and just about to begin?

Insider leaks: Trusting the little guys

While the Mr Smith hack grabbed most of the headlines and provoked the public ire of HBO, it was arguably leaks from malicious and accidental insiders that did most damage. This was certainly the case with regards to the network’s biggest property, Game of Thrones, with two episodes of the hit show’s seventh season being leaked.

The first episode leak was allegedly committed by four men in India who are said to have smuggled the episode out of Prime Focus Technologies, a company that works with Star India, which carries HBO in that country. The second instance was an example of HBO, to quote DJ Khaled, playing itself. HBO Nordic and HBO España mistakenly aired the sixth episode of Game of Thrones’ seventh season for an hour, in which time it was ripped, put on torrent sites and downloaded all over the world.

“Insiders have often been the source of leaked material – see for example the book How Music Got Free, in which it turns out that a major source of music posted online was a worker in one of the CD manufacturing facilities,” says Wendy Grossman, who is a member of the Advisory Council for the Open Rights Group.

“I believe the discs sent to Academy members for voting on the Oscars are now individually coded so they can tell whose disc is the source of any online copies that are made [because] before that, I've certainly seen screeners pop up online.”

The reason that leaks from third parties are more damaging to HBO than an actual hack is that however secure HBO believes it is, it still has little say in how media companies like Star India or Prime Focus Technologies defend their data, and that’s a problem.

“This sort of thing is a problem throughout supply chains: you are dependent on your smaller and more remote partners to do as good security as you do. After a certain point you have to trust insiders or you can't get anything done,” says Grossman.

Responding to ransoms: Crime shouldn’t pay

Whether it’s a hack or a leak, the situation HBO finds itself in, at a time when it should be basking in the glorious return of some of its biggest properties, demonstrates how difficult it is for companies to lock their data down. Some of the actions HBO took in response to realising its data had been compromised, however, could be filed under ‘what not to do when you’ve been hacked’.

Having had its servers breached, HBO reportedly took the unusual step of agreeing to pay a $250,000 ransom disguised as a bug bounty payment. Variety obtained an email in which an unnamed HBO executive offered to pay the sum, which was considerably less than what was being asked for, in order to appease the hackers and grant HBO more time to ascertain exactly what had happened.

“You have the advantage of having surprised us,” the email reads. “In the spirit of professional cooperation, we are asking you to extend your deadline for one week.”

“Not being part of the HBO executive, it's hard to say whether they did the right thing for them. For the wider community, it's fairly obvious that paying ransoms (and even if you call it a bug bounty if you're being extorted or blackmailed into paying it, it is a ransom) is only going to encourage further such attacks,” says Grossman.

“I'd rather see them find other solutions and ways of handling such situations. People I've known who have been threatened with blackmail have opted to publish the information themselves before the blackmailer could do it, and HBO certainly could have done something like that, but there may be solid business reasons not to do it, such as sold rights and contracts.”

While it may have had an ulterior motive when it offered to pay the ransom/bug bounty, any company offering any method of payment is only going to tempt hackers to attack. Once a threat has been made it’s too late to offer a bug bounty payment, but if HBO hasn’t already then it certainly will look at utilising the intelligence and expertise of outsiders to help locate flaws and vulnerabilities in its system because, ultimately, that will strengthen its overall security.

At least we’re not Sony

While the HBO hack may have ruined a few people’s summer, the network will be thanking the Lord that it got off pretty Lightly (see what I did there) this time. Unlike the Sony hack of 2014, no embarrassing personal emails have seen the light of day, and the leaks of shows so far don’t seem to have put a dent in viewership.

In fact, hackers who billed this as a Game of Thrones breach appear to have very little data pertaining to HBO’s premium show, and having had their bluff called have been forced to walk away with their tails between their legs. For now anyway.

“It has been widely reported that there was a cyber incident at HBO. The hacker may continue to drop bits and pieces of stolen information in an attempt to generate media attention. That’s a game we’re not going to participate in,” said HBO in a statement to the press. “This incident has not deterred us from ensuring HBO continues to do what we do best.”

In the space of two months following the Sony hack the company suffered a further 20 breaches, so now is the time to be extra vigilant if you’re HBO. However, as Lee Munson, security researcher at Comparitech, points out, for a company like HBO, which, with or without the media attention that hacks provide, makes content that dominates conversations and column inches, it really is nigh-on impossible to prevent all attacks.

“While it is impossible to be 100% secure, companies such as HBO can take precautions and implement robust technical and other solutions to ensure they are not perceived as the lowest hanging fruit within their industry,” says Munson. “That said, it really is a case of when, not if, any organisation of note will be successfully attacked.”

So don’t expect Sony, HBO or Netflix, which had episodes of its hit show Orange is the New Black leaked from a third-party production studio, to be the last examples of networks being breached and extorted.

“The biggest risk for the future may be that the criminals haven't quite gotten this figured out yet, and they haven't been attacking quite the right targets: Netflix and HBO ultimately haven't paid up,” says Grossman. “But I would expect them to keep trying until they do get the right targets.”